Fwd: pkinit SAN and EKU checking
Henry B. Hotz
hotz at jpl.nasa.gov
Mon May 14 20:09:43 EDT 2007
I expect that it will be common for the certs on a smart card to be
issued by a different CA from the cert used by the KDC.
Certs issued by a KCA/KX509 service may or may not use the same CA as
either of the above, though it seems more likely they (and any
relevant TLS-protected services) would share CAs with the KDC than
with the card issuers.
On May 14, 2007, at 4:32 PM, krbdev-request at mit.edu wrote:
> Date: Mon, 14 May 2007 17:12:04 -0500
> From: "Douglas E. Engert" <deengert at anl.gov>
> Subject: Re: Fwd: pkinit SAN and EKU checking
> To: Kevin Coffman <kwc at citi.umich.edu>
> Cc: MIT Kerberos Developers <krbdev at mit.edu>
> Message-ID: <4648DEB4.90203 at anl.gov>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Kevin Coffman wrote:
>> Sam suggested I forward this here. Comments/suggestions welcome.
> What about mixed environments where some certs may be issued by
> a local CA and some others are issued by some external CA?
> So is your SAN and EKU checking based on the issuer CA?
> Examples could be using PIV smart cards issued by the federal
> government for a small number of outside users, with most
> users using soft certs issued by the local site.
> It looks like external could always be used if needed,
> but then all uses would have to be handled that way.